Keystore 2.0: sepolicy changes for vold to use keystore2

Vold needs to be able to search for keystore2 and keystore2 maintenance
services, and call methods provided by those services.

Bug: 181910578
Change-Id: I6e336c3bfaabe158b850dc175b6c9a942dd717be

private/keystore.te

@@ -24,3 +24,8 @@ unix_socket_send(keystore, statsdw, statsd)
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
 get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;

private/vold.te

@@ -45,7 +45,11 @@ allow vold vold_key:keystore2_key {
     use
 };
 
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
 # vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;
 
 # vold needs to be able to call earlyBootEnded()

private/wait_for_keymaster.te

@@ -7,3 +7,9 @@ init_daemon_domain(wait_for_keymaster)
 hal_client_domain(wait_for_keymaster, hal_keymaster)
 
 allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;

public/vold.te

@@ -351,6 +351,7 @@ neverallow vold {
   -healthd
   -hwservicemanager
   -iorapd_service
+  -keystore
   -servicemanager
   -system_server
   userdebug_or_eng(`-su')